shroud-privacy 2.2.11 → 2.2.13

package/dist/detectors/injection.js

@@ -1,269 +0,0 @@
-/**
- * Prompt injection signature detector.
- *
- * Scans text for known injection patterns on the request side
- * (direct/indirect injection) and response side (exfiltration confirmation).
- *
- * This is a standalone scanner — it does NOT integrate into the obfuscation
- * detector chain. The obfuscation pipeline remains untouched.
- */
-import { ThreatClass, } from "../security-event.js";
-import { REQUEST_SIGNATURES, RESPONSE_SIGNATURES, } from "./injection-signatures.js";
-import { MULTILINGUAL_REQUEST_SIGNATURES, } from "./injection-multilingual.js";
-/** Injection keywords checked inside decoded Base64 payloads. */
-const BASE64_INJECTION_KEYWORDS = [
-    "ignore",
-    "instructions",
-    "system prompt",
-    "override",
-    "jailbreak",
-    "disregard",
-    "forget",
-    "bypass",
-    "unrestricted",
-    "developer mode",
-    "you are now",
-    "act as",
-];
-const SEVERITY_RANK = {
-    low: 0,
-    medium: 1,
-    high: 2,
-};
-/**
- * Check if a text span is inside quotation marks, backticks, or code blocks.
- * Used to reduce severity of injection patterns that are being discussed/quoted
- * rather than used as actual attacks.
- */
-function isInsideQuotes(text, matchStart, matchEnd) {
-    // Look backwards from matchStart for an unmatched opening quote
-    const before = text.slice(Math.max(0, matchStart - 200), matchStart);
-    const after = text.slice(matchEnd, Math.min(text.length, matchEnd + 200));
-    // Check for surrounding double quotes
-    if (before.includes('"') && after.includes('"')) {
-        const lastQuoteBefore = before.lastIndexOf('"');
-        const quotesBefore = before.slice(lastQuoteBefore).split('"').length - 1;
-        if (quotesBefore % 2 === 1)
-            return true; // odd number = inside quotes
-    }
-    // Check for surrounding single quotes
-    if (before.includes("'") && after.includes("'")) {
-        const lastQuoteBefore = before.lastIndexOf("'");
-        const quotesBefore = before.slice(lastQuoteBefore).split("'").length - 1;
-        if (quotesBefore % 2 === 1)
-            return true;
-    }
-    // Check for backticks (inline code)
-    if (before.includes("`") && after.includes("`"))
-        return true;
-    // Check for parenthetical context: (DAN), (XSS), etc.
-    // The match might include the closing paren, so check if before ends with (
-    // or the matched text itself starts right after a (
-    if (before.endsWith("("))
-        return true;
-    if (before.trimEnd().endsWith("("))
-        return true;
-    // Check for 'like "X"' or 'such as "X"' or 'phrases like "X"' patterns
-    // These indicate the text is being discussed, not executed
-    const discussionPatterns = /(?:like|such\s+as|example|e\.g\.|called|known\s+as|termed|phrase|pattern|classified|documented|described|first\s+appeared)/i;
-    if (discussionPatterns.test(before.slice(-100)))
-        return true;
-    return false;
-}
-/**
- * Strip token smuggling characters — invisible Unicode chars that attackers
- * insert between tokens to break regex matching.
- *
- * Strips: zero-width space (U+200B), zero-width non-joiner (U+200C),
- * zero-width joiner (U+200D), byte order mark (U+FEFF), word joiner (U+2060),
- * soft hyphen (U+00AD), Mongolian vowel separator (U+180E),
- * and all variation selectors (U+FE00-FE0F).
- */
-function stripTokenSmuggling(text) {
-    return text.replace(/[\u200B\u200C\u200D\uFEFF\u2060\u00AD\u180E\uFE00-\uFE0F]/g, "");
-}
-/**
- * Standalone injection scanner. Not a BaseDetector — runs parallel to
- * the obfuscation pipeline, never touches entity replacement.
- */
-export class InjectionDetector {
-    _config;
-    _requestSigs;
-    _responseSigs;
-    _externalRequestSigs = [];
-    _externalResponseSigs = [];
-    constructor(config) {
-        this._config = config;
-        const minRank = SEVERITY_RANK[config.minSeverity];
-        // Pre-filter signatures by severity and disabled list
-        // Include multilingual patterns alongside English ones
-        this._requestSigs = [...REQUEST_SIGNATURES, ...MULTILINGUAL_REQUEST_SIGNATURES].filter((s) => !config.disabledSignatures.has(s.id) &&
-            SEVERITY_RANK[s.severity] >= minRank);
-        this._responseSigs = RESPONSE_SIGNATURES.filter((s) => !config.disabledSignatures.has(s.id) &&
-            SEVERITY_RANK[s.severity] >= minRank);
-    }
-    /** Hot-load external signatures. Atomic swap — takes effect on next scan. */
-    loadExternalSignatures(sigs) {
-        const minRank = SEVERITY_RANK[this._config.minSeverity];
-        const asSigDef = sigs.map(s => ({
-            id: s.id,
-            threatClass: s.threatClass,
-            pattern: s.pattern,
-            severity: s.severity,
-            description: s.description,
-            direction: s.direction,
-        })).filter(s => !this._config.disabledSignatures.has(s.id) &&
-            SEVERITY_RANK[s.severity] >= minRank);
-        this._externalRequestSigs = asSigDef.filter(s => s.direction === "request" || s.direction === "both");
-        this._externalResponseSigs = asSigDef.filter(s => s.direction === "response" || s.direction === "both");
-    }
-    /** Get count of loaded external signatures. */
-    getExternalSignatureCount() {
-        return this._externalRequestSigs.length + this._externalResponseSigs.length;
-    }
-    /** Scan request/outbound text for injection patterns. */
-    scanRequest(text) {
-        if (this._config.action === "off")
-            return [];
-        // Token smuggling defence: strip invisible characters then re-scan.
-        // Attackers insert zero-width spaces, soft hyphens, word joiners etc.
-        // between tokens to break regex matching: "ig​nore pre​vious in​structions"
-        const cleaned = stripTokenSmuggling(text);
-        const smuggled = cleaned !== text;
-        const allRequestSigs = this._externalRequestSigs.length > 0
-            ? [...this._requestSigs, ...this._externalRequestSigs]
-            : this._requestSigs;
-        const events = this._scanPatterns(text, allRequestSigs, "request");
-        // If smuggling chars were present, also scan the cleaned version
-        // to catch patterns that were broken by invisible chars
-        if (smuggled) {
-            const cleanedEvents = this._scanPatterns(cleaned, this._requestSigs, "request");
-            // Add cleaned-text detections that weren't found in original
-            const existingIds = new Set(events.map(e => e.signatureId));
-            for (const evt of cleanedEvents) {
-                if (!existingIds.has(evt.signatureId)) {
-                    evt.description = `[token-smuggling stripped] ${evt.description}`;
-                    events.push(evt);
-                }
-            }
-            // Also flag the smuggling itself
-            const action = this._config.action === "block" ? "blocked" : "flagged";
-            events.push({
-                timestamp: Date.now(),
-                eventType: "injection_detected",
-                direction: "request",
-                threatClass: ThreatClass.ENCODING_BYPASS,
-                signatureId: "eb_token_smuggling",
-                severity: "medium",
-                matchedText: `[${text.length - cleaned.length} invisible chars stripped]`,
-                matchStart: 0,
-                matchEnd: text.length,
-                textLength: text.length,
-                action,
-                description: `Token smuggling: ${text.length - cleaned.length} invisible characters removed, revealing injection patterns`,
-            });
-        }
-        // Base64 decode-and-rescan
-        events.push(...this._scanEncodedPayloads(text, "request"));
-        return events;
-    }
-    /** Scan response/inbound text for exfiltration patterns. */
-    scanResponse(text) {
-        if (this._config.action === "off" || !this._config.scanResponses)
-            return [];
-        const allResponseSigs = this._externalResponseSigs.length > 0
-            ? [...this._responseSigs, ...this._externalResponseSigs]
-            : this._responseSigs;
-        return this._scanPatterns(text, allResponseSigs, "response");
-    }
-    _scanPatterns(text, signatures, direction) {
-        const events = [];
-        const action = this._config.action === "block" ? "blocked" : "flagged";
-        for (const sig of signatures) {
-            // Reset lastIndex for global regexes
-            sig.pattern.lastIndex = 0;
-            let match;
-            while ((match = sig.pattern.exec(text)) !== null) {
-                // Skip OpenClaw system context: "System: [2026-03-30 10:11:29 GMT+2]"
-                // This is structural metadata, not a conversation mockup injection.
-                if (sig.id === "cm_role_markers") {
-                    const after = text.slice(match.index + match[0].length - 1, match.index + match[0].length + 30);
-                    if (/^\[\d{4}-\d{2}-\d{2}/.test(after))
-                        continue;
-                }
-                // Context-aware severity reduction: if the match is inside
-                // quotation marks or backticks, it's likely being discussed/quoted
-                // rather than used as an attack. Reduce severity to "low".
-                let severity = sig.severity;
-                if (isInsideQuotes(text, match.index, match.index + match[0].length)) {
-                    severity = "low";
-                }
-                events.push({
-                    timestamp: Date.now(),
-                    eventType: "injection_detected",
-                    direction,
-                    threatClass: sig.threatClass,
-                    signatureId: sig.id,
-                    severity,
-                    matchedText: match[0].slice(0, 200),
-                    matchStart: match.index,
-                    matchEnd: match.index + match[0].length,
-                    textLength: text.length,
-                    action,
-                    description: severity !== sig.severity
-                        ? `[quoted context] ${sig.description}`
-                        : sig.description,
-                });
-                // For non-global patterns, break after first match
-                if (!sig.pattern.global)
-                    break;
-            }
-        }
-        return events;
-    }
-    /**
-     * Detect Base64-encoded injection payloads.
-     *
-     * Finds Base64-looking blocks (40+ chars), decodes them (sync via Buffer),
-     * and checks if the decoded text contains injection keywords.
-     */
-    _scanEncodedPayloads(text, direction) {
-        const events = [];
-        const action = this._config.action === "block" ? "blocked" : "flagged";
-        const b64Re = /[A-Za-z0-9+/]{40,}={0,2}/g;
-        let match;
-        while ((match = b64Re.exec(text)) !== null) {
-            try {
-                const decoded = Buffer.from(match[0], "base64").toString("utf-8");
-                // Check if decoded text is mostly printable ASCII (heuristic for valid text)
-                const printableRatio = decoded.replace(/[^\x20-\x7E]/g, "").length / decoded.length;
-                if (printableRatio < 0.7)
-                    continue;
-                const lower = decoded.toLowerCase();
-                for (const keyword of BASE64_INJECTION_KEYWORDS) {
-                    if (lower.includes(keyword)) {
-                        events.push({
-                            timestamp: Date.now(),
-                            eventType: "injection_detected",
-                            direction,
-                            threatClass: ThreatClass.ENCODING_BYPASS,
-                            signatureId: "eb_base64_injection",
-                            severity: "high",
-                            matchedText: `[base64→"${decoded.slice(0, 100)}"]`,
-                            matchStart: match.index,
-                            matchEnd: match.index + match[0].length,
-                            textLength: text.length,
-                            action,
-                            description: `Encoding bypass: Base64-encoded text contains injection keyword "${keyword}"`,
-                        });
-                        break; // One event per base64 block
-                    }
-                }
-            }
-            catch {
-                // Invalid base64 — skip
-            }
-        }
-        return events;
-    }
-}

package/dist/detectors/tool-guard.d.ts

@@ -1,27 +0,0 @@
-/**
- * Tool call guard — detects dangerous tool invocations.
- *
- * Scans tool names and parameters for destructive, exfiltration,
- * or privilege escalation patterns. Runs in the before_tool_call hook
- * where it can BLOCK the call before execution.
- *
- * This is the "exec shutdown" detector — catches:
- * - Destructive commands (rm -rf, drop table, shutdown, format, kill -9)
- * - Exfiltration (curl/wget to external, scp, netcat listeners)
- * - Credential access (cat /etc/shadow, reading .ssh keys)
- * - Reverse shells (bash -i >& /dev/tcp, nc -e, python -c import socket)
- * - Privilege escalation (sudo, su, chmod 777, chown root)
- * - Crypto mining (xmrig, minerd, coin patterns)
- */
-import { SecurityEvent } from "../security-event.js";
-/**
- * Scan a tool call for dangerous patterns.
- *
- * @param toolName - The tool being called (e.g. "exec", "write", "code_execution")
- * @param params - The tool parameters (will be serialized to JSON for scanning)
- * @returns Array of security events. Check `.block` on the pattern for block recommendation.
- */
-export declare function scanToolCall(toolName: string, params: unknown): {
-    events: SecurityEvent[];
-    shouldBlock: boolean;
-};